How to Exclude a Device from Azure AD Dynamic Device Group

AAD dynamic groups are very useful in managing devices and deploying configuration policies to a group of devices. The scenarios of creating dynamic device can be quite complex at times. This post will give you an example to start with.

0
Advertisement

We discussed about creating Azure AD Dynamic Device or User groups in my previous post “How to Create Azure AD Dynamic Groups for Managing Devices via Intune“. Another question I usually get is “How to remove or Exclude a device from Azure Active Directory Dynamic Device Group”. I expect this could be one of the scenario which will be used in deployment of security/configuration policies via Intune. This is very valid scenario and you can’t avoid this kind of scenarios in device management world. No explanation is needed if you are an experienced SCCM Admin.

It’s not quite possible to remove a single device directly from AAD Dynamic device group. Yes, there is a remove button available but when you select a device and click on that remove button and it will give a confirmation popup with an YES button. If click on YES button, it will give an error stating you can’t remove the device from Azure AD dynamic device group. “Failed to remove member LENexus 5 from group _Android Devices”. However, this can be achieved by adding some condition to the advance membership rule query in AAD dynamic groups.

AAD Dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expressions are separated by a conditional operator either ‘and” or “or“. You can play around with this conditional operator to remove the devices from AAD dynamic device or user groups.

Following is the advanced membership rule query which I used in AAD dynamic device group to remove a device. In this query, you can see the conditional operator between 2 binary expressions is -and.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I don’t know what would be the end result and whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. I assume that this will work because I can see a difference in device icon for the device called “LGENexus 5”. And that is the device which I tried to exclude using the above query.

Reference Posts :-

New Azure portal – This will directly take you to all Groups blade https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserManagementMenuBlade/All%20groups/menuId/ 

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here